John Koutsouroupas (left), Fraser Jack

The cyberattacks on super funds are a stark reminder for advice practices that it is important to constantly review cybersecurity systems to prevent a breach.

Earlier this month it was revealed that cybercriminals had targeted the country’s biggest super funds, including Insignia Financial’s MLC Expand platform, AustralianSuper, Australian Retirement Trust, Rest and Hostplus, which resulted in combined losses of at least $500,000 for members.

Super Consumers Australia chief executive Xavier O’Halloran said the cyberattacks were “a failure” by the Association of Superannuation Funds of Australia.

Cyber security service The Cyber Collective founder Fraser Jack says he doesn’t see the recent cyberattacks as “a failure” on the part of the super funds, but admits there will be more attacks in the future as funds “would have fended lots and lots of attacks”.

“From the super funds’ point of view, the last thing they need is their brand soiled by these sorts of things,” Jack tells Professional Planner.

Thriving Wealth financial adviser John Koutsouroupas says he doesn’t have concerns about the security of the super funds.

“Especially with Australian Retirement Trust, they have two-factor authentication, which we’re encouraging our clients to use, just to prevent that kind of thing happening. So even if they did get in, they’d be getting text messages saying this is your code, can you please verify it to log in.”

House in order

While the most recent attack focused on institutions, the advice sector has not escaped being targeted, with licensee RI Advice penalised by ASIC in 2022 over a breach of obligations after several cyber incidents occurred at authorised representatives of the licensee.

For his own practice, Koutsouroupas believes it “absolutely” has sufficient cybersecurity measures.

“We don’t really send any documents over email,” Koutsouroupas says.

“Everything’s done in our client portal and for clients to access that portal, they essentially need two-factor authentication every time they log in.”

He says the practice does not currently have major concerns about cybersecurity because it has an IT team that ensures measures are in place so that devices, including laptops, can be remotely shut down if a potential issue arises.

Jack says advice firms have moved away from handling cybersecurity themselves, which is a positive step.

“They’re investing in their technology and having a managed service provider. They’ve got an IT professional in their corner,” Jack says.

Koutsouroupas says Thriving Wealth are “pretty happy” with their current cybersecurity measures.

“I don’t necessarily think we need to add anything for now, but it is something that does constantly get reviewed,” Koutsouroupas says.

‘Fine line’

Jack says advice practices should focus more on communicating with their clients about the cybersecurity protocols in place but concedes it’s a fine line for businesses to tread.

“The communications are difficult for a couple of reasons – you’ve got a legal obligation, and then you’ve got the empathy of that actual member themselves,” Jack says.

“When you’re in an advice relationship, or a client member relationship with a firm, it’s pretty important to make sure that you’re looking after the emotional needs of the individual member or client.”

He recommends practices engage communication experts to tell them exactly what members need to be aware of, but also ensure not too much specific information is given away.

“It’s a fine line in the world of cyber between telling everybody what you have set up, which then makes you vulnerable to somebody wanting to use that information against you, but letting people know that you are doing certain basic hygiene levels,” Jack says.

“You can talk about strategies, for example, but not products.”

Jack says smaller advice practices are in a difficult spot because they must behave like a larger business when it comes to their cybersecurity on the budget of a smaller business.

“They don’t think about things like their compliance documentation [and] the mandatory team training that they should have in place,” Jack says.
